heads
heads copied to clipboard
A minimal Linux that runs as a coreboot or LinuxBoot ROM payload to provide a secure, flexible boot environment for laptops, workstations and servers.
Not all distro put crypttab under /etc/ within initramfs, but finding it at runtime needs unpacking, which may be hard to do, so it is made overridable with a file...
https://doc.coreboot.org/contributing/project_ideas.html#support-power9-power8-in-coreboot Hardware provided by RaptorEngineering - RYF board: [Talos II](https://ryf.fsf.org/news/raptor-talos-announcement)
I currently write the coreboot configuration for the t430s-maximized: ```command # coreboot-t430s-maximized.config CONFIG_MEASURED_BOOT=y CONFIG_VENDOR_LENOVO=y CONFIG_ROM_SIZE=0x01000000 CONFIG_CBFS_SIZE=0xBE0000 CONFIG_HAVE_IFD_BIN=y CONFIG_HAVE_ME_BIN=y CONFIG_HAVE_GBE_BIN=y CONFIG_IFD_BIN_PATH="../../blobs/t430s/ifd.bin" CONFIG_ME_BIN_PATH="../../blobs/t430s/me.bin" CONFIG_GBE_BIN_PATH="../../blobs/t430s/gbe.bin" CONFIG_BOARD_LENOVO_THINKPAD_T430S=y CONFIG_NO_POST=y CONFIG_UART_PCI_ADDR=0 # CONFIG_CONSOLE_SERIAL is not set...
HD wakes up, even when laptop is powered off, resulting in heat and power drain even when shutdown. Changed the spinning drive to sd drive resulting in lower battery drain,...
@osresearch @MrChromebox - TPM reset could check for mounted /boot and if not found, [check if rollback protection is forced](https://github.com/osresearch/heads/blob/c3b0bd6ffbe816430dd41ef54e649af52ed1ff3b/initrd/bin/gui-init#L358-L373) - [seal-hotpkey](https://github.com/osresearch/heads/blob/c3b0bd6ffbe816430dd41ef54e649af52ed1ff3b/initrd/bin/seal-hotpkey) could do the same. Maybe cleaner way is...
TPM2 support
This is very preliminary support for the `tpm2-tools` linked against musl and running in the initrd. This brings in some heavy weight dependencies, like openssl, so it requires a large...
Build system failed again with #807 (Debian:Bulseye) which was fixed by putting the deocker image to debian10 (#808). This tells us that once again, later on in host system upgrades,...
The KGPE-D16 has chassis intrusion headers on the board, as briefly outlined here: https://github.com/lampmerchant/kgpe-d16/blob/main/w83795g-intrusion.md We should look into how this can be implemented in heads so that when the alarm...
Documentation fails to explain SRWD issue: hardware write protect is currently (mostly) not possible
The Heads documentation [suggests](https://osresearch.net/Heads-threat-model/#system-firmware): >Finally, once Coreboot has been flashed into the ROM, the write protect pins on the ROMs can be shorted to ground as an extra layer of...
Current customer concerns: - What do I do if I loose the USB Security dongle. Worst : drown USB security dongle in pool, toilet. - What do I do if...